Share Article

Researchers have found a new attack vector for TLS1.1 and 1.2 protocol implementations, which wolfSSL has promptly fixed in its leading embedded TLS product.

As the leading provider of TLS 1.2, we're happy to provide a fix for the break on the day it became public.

Bozeman, Montana (PRWEB)February 06, 2013

In the paper "Lucky Thirteen: Breaking the TLS and DTLS Record Protocols" authors Nadhem AlFardan and Kenneth Paterson present a family of attacks that apply to CBC-mode for TLS (1.1 and 1.2) and DTLS (1.0 and 1.2). All of the attacks are based on a delicate timing analysis of the decryption processing needed in block mode. The various attacks are distinguishing, partial plaintext recovery, and full plaintext recovery in nature. All the attacks exploit the protocol when badly formatted padding is handled during processing. A MAC verification must still be performed on something to prevent existing timing attacks. The RFCs suggest using a zero-length pad which was thought to be safe, but these attacks show that it can be exploited.

There are a few ways to avoid the attack. Using stream ciphers is the simplest. Stream ciphers like ARC4, HC-128, and RABBIT are not vulnerable because they don't use block mode and padding. HC-128 and RABBIT are unique to wolfSSL and also have the benefit of being extremely fast. Another way is to use Authenticated Encryption like AES-GCM and AES-CCM instead of block mode with CBC. wolfSSL includes several cipher suites utilizing Authenticated Encryption algorithms. Lastly, wolfSSL implemented the countermeasures suggested in the paper in version 2.5.0 to avoid timing attacks.